Remove unnecessary extra variable definitions

The world could do with a bit less YAML!

ansible/host_vars/restic/main.yml

@@ -3,7 +3,5 @@ restic_backup_locations:
   - /mnt/host/mnt/speed
   - /mnt/host/etc/pve
   - /mnt/home-assistant
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
 
 restic_forget: true
-restic_forget_healthchecks_id: "{{ vault_restic_forget_healthchecks_id }}"

ansible/host_vars/walker/main.yml

@@ -1,3 +1,2 @@
 restic_backup_locations:
   - /opt
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"

ansible/roles/authentik/files/docker-compose.yml

@@ -6,18 +6,18 @@ x-env: &env
   - AUTHENTIK_POSTGRESQL__HOST=db
   - AUTHENTIK_POSTGRESQL__USER=authentik
   - AUTHENTIK_POSTGRESQL__NAME=authentik
-  - AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
+  - AUTHENTIK_POSTGRESQL__PASSWORD={{ vault_authentik_db_password }}
-  - AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
+  - AUTHENTIK_SECRET_KEY={{ vault_authentik_secret_key }}
   - AUTHENTIK_WEB__WORKERS=1
   - AUTHENTIK_DISABLE_UPDATE_CHECK=true
   - AUTHENTIK_ERROR_REPORTING__ENABLED=false
   - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
   - AUTHENTIK_EMAIL__HOST=smtp.eu.mailgun.org
   - AUTHENTIK_EMAIL__PORT=465
-  - AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }}
+  - AUTHENTIK_EMAIL__USERNAME={{ vault_authentik_email_username }}
-  - AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }}
+  - AUTHENTIK_EMAIL__PASSWORD={{ vault_authentik_email_password }}
   - AUTHENTIK_EMAIL__USE_TLS=true
-  - AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
+  - AUTHENTIK_EMAIL__FROM={{ vault_authentik_email_from }}
 
 services:
   server:
@@ -64,7 +64,7 @@ services:
     volumes:
       - /mnt/speed/dbs/postgres/authentik:/var/lib/postgresql/data
     environment:
-      - POSTGRES_PASSWORD={{ authentik_db_password }}
+      - POSTGRES_PASSWORD={{ vault_authentik_db_password }}
       - POSTGRES_USER=authentik
 
   redis:

ansible/roles/authentik/vars/main.yml

@@ -1,5 +0,0 @@
-authentik_db_password: "{{ vault_authentik_db_password }}"
-authentik_secret_key: "{{ vault_authentik_secret_key }}"
-authentik_email_username: "{{ vault_authentik_email_username }}"
-authentik_email_password: "{{ vault_authentik_email_password }}"
-authentik_email_from: "{{ vault_authentik_email_from }}"

ansible/roles/commento/files/docker-compose.yml

@@ -17,15 +17,15 @@ services:
       - COMMENTO_ORIGIN=https://commento.theorangeone.net
       - COMMENTO_GZIP_STATIC=true
       - COMMENTO_FORBID_NEW_OWNERS=true
-      - COMMENTO_GITHUB_KEY={{ commento_github_client_id }}
+      - COMMENTO_GITHUB_KEY={{ vault_commento_github_client_id }}
-      - COMMENTO_GITHUB_SECRET={{ commento_github_client_secret }}
+      - COMMENTO_GITHUB_SECRET={{ vault_commento_github_client_secret }}
       - COMMENTO_SMTP_HOST=smtp.eu.mailgun.org
       - COMMENTO_SMTP_PORT=587
-      - COMMENTO_SMTP_USERNAME={{ commento_smtp_username }}
+      - COMMENTO_SMTP_USERNAME={{ vault_commento_smtp_username }}
-      - COMMENTO_SMTP_PASSWORD={{ commento_smtp_password }}
+      - COMMENTO_SMTP_PASSWORD={{ vault_commento_smtp_password }}
-      - COMMENTO_SMTP_FROM_ADDRESS={{ commento_from_email }}
+      - COMMENTO_SMTP_FROM_ADDRESS={{ vault_commento_from_email }}
-      - COMMENTO_GITLAB_KEY={{ commento_gitlab_application_id }}
+      - COMMENTO_GITLAB_KEY={{ vault_commento_gitlab_application_id }}
-      - COMMENTO_GITLAB_SECRET={{ commento_gitlab_application_secret }}
+      - COMMENTO_GITLAB_SECRET={{ vault_commento_gitlab_application_secret }}
 
   db:
     image: postgres:14-alpine

ansible/roles/commento/vars/main.yml

@@ -1,7 +0,0 @@
-commento_github_client_id: "{{ vault_commento_github_client_id }}"
-commento_github_client_secret: "{{ vault_commento_github_client_secret }}"
-commento_smtp_username: "{{ vault_commento_smtp_username }}"
-commento_smtp_password: "{{ vault_commento_smtp_password }}"
-commento_from_email: "{{ vault_commento_from_email }}"
-commento_gitlab_application_id: "{{ vault_commento_gitlab_application_id }}"
-commento_gitlab_application_secret: "{{ vault_commento_gitlab_application_secret }}"

ansible/roles/db_auto_backup/files/docker-compose.yml

@@ -8,7 +8,7 @@ services:
       - "{{ db_backups_dir }}:/var/backups"
     environment:
       - DOCKER_HOST=tcp://docker_proxy:2375
-      - HEALTHCHECKS_ID={{ db_auto_backup_healthchecks_id }}
+      - HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
     depends_on:
       - docker_proxy
 

ansible/roles/db_auto_backup/vars/main.yml

@@ -1 +0,0 @@
-db_auto_backup_healthchecks_id: "{{ vault_db_auto_backup_healthchecks_id }}"

ansible/roles/forrest/files/grafana/docker-compose.yml

@@ -15,9 +15,9 @@ services:
 
       - GF_SMTP_ENABLED=true
       - GF_SMTP_HOST=smtp.eu.mailgun.org:465
-      - GF_SMTP_USER={{ grafana_smtp_user }}
+      - GF_SMTP_USER={{ vault_grafana_smtp_user }}
-      - GF_SMTP_PASSWORD={{ grafana_smtp_password }}
+      - GF_SMTP_PASSWORD={{ vault_grafana_smtp_password }}
-      - GF_SMTP_FROM_ADDRESS={{ grafana_from_email }}
+      - GF_SMTP_FROM_ADDRESS={{ vault_grafana_from_email }}
       - GF_SMTP_FROM_NAME=grafana
     volumes:
       - "{{ app_data_dir }}/grafana:/var/lib/grafana"

ansible/roles/forrest/files/prometheus/alertmanager.yml

@@ -1,9 +1,9 @@
 global:
   resolve_timeout: 3m
   smtp_smarthost: smtp.eu.mailgun.org:465
-  smtp_from: "{{ alertmanager_from_address }}"
+  smtp_from: "{{ vault_alertmanager_from_address }}"
-  smtp_auth_username: "{{ alertmanager_from_address }}"
+  smtp_auth_username: "{{ vault_alertmanager_from_address }}"
-  smtp_auth_password: "{{ alertmanager_smtp_password }}"
+  smtp_auth_password: "{{ vault_alertmanager_smtp_password }}"
 
 route:
   receiver: default
@@ -11,5 +11,5 @@ route:
 receivers:
   - name: default
     email_configs:
-      - to: "{{ alertmanager_to_address }}"
+      - to: "{{ vault_alertmanager_to_address }}"
         send_resolved: true

ansible/roles/forrest/files/prometheus/docker-compose.yml

@@ -45,7 +45,7 @@ services:
     environment:
       - PVE_USER=prometheus@pve
       - PVE_TOKEN_NAME=prometheus
-      - PVE_TOKEN_VALUE={{ prometheus_api_token }}
+      - PVE_TOKEN_VALUE={{ vault_prometheus_api_token }}
       - PVE_VERIFY_SSL=false
 
   speedtest_exporter:

ansible/roles/forrest/files/prometheus/prometheus.yml

@@ -34,7 +34,7 @@ scrape_configs:
   - job_name: homeassistant
     metrics_path: /api/prometheus
     authorization:
-      credentials: "{{ homeassistant_token }}"
+      credentials: "{{ vault_homeassistant_token }}"
     metric_relabel_configs:
       - source_labels: [__name__]
         regex: python_.+
@@ -121,7 +121,7 @@ scrape_configs:
       module: [http]
     static_configs:
       - targets:
-          - https://hc-ping.com/{{ prometheus_healthcheck_uuid }}
+          - https://hc-ping.com/{{ vault_prometheus_healthcheck_uuid }}
     relabel_configs:
       - source_labels: [__address__]
         target_label: __param_target
@@ -132,7 +132,7 @@ scrape_configs:
 
   - job_name: healthchecks
     scheme: https
-    metrics_path: /projects/{{ healthchecks_project_uuid }}/metrics/{{ healthcheck_api_token }}
+    metrics_path: /projects/{{ vault_healthchecks_project_uuid }}/metrics/{{ vault_healthcheck_api_token }}
     static_configs:
       - targets: [healthchecks.io]
 

ansible/roles/forrest/vars/main.yml

@@ -1,11 +0,0 @@
-grafana_smtp_password: "{{ vault_grafana_smtp_password }}"
-grafana_smtp_user: "{{ vault_grafana_smtp_user }}"
-grafana_from_email: "{{ vault_grafana_from_email }}"
-homeassistant_token: "{{ vault_homeassistant_token }}"
-prometheus_healthcheck_uuid: "{{ vault_prometheus_healthcheck_uuid }}"
-healthchecks_project_uuid: "{{ vault_healthchecks_project_uuid }}"
-healthcheck_api_token: "{{ vault_healthcheck_api_token }}"
-alertmanager_from_address: "{{ vault_alertmanager_from_address }}"
-alertmanager_smtp_password: "{{ vault_alertmanager_smtp_password }}"
-alertmanager_to_address: "{{ vault_alertmanager_to_address }}"
-prometheus_api_token: "{{ vault_prometheus_api_token }}"

ansible/roles/gitea/files/app.ini

@@ -21,7 +21,7 @@ PROTOCOL                = http  # TLS termination done by Traefik
 ENABLE_GZIP             = true
 OFFLINE_MODE            = true
 LANDING_PAGE            = explore
-LFS_JWT_SECRET          = {{ lfs_jwt_secret }}
+LFS_JWT_SECRET          = {{ vault_lfs_jwt_secret }}
 
 [database]
 DB_TYPE  = postgres
@@ -39,8 +39,8 @@ LEVEL = warn
 
 [security]
 INSTALL_LOCK                  = true
-SECRET_KEY                    = {{ secret_key }}
+SECRET_KEY                    = {{ vault_secret_key }}
-INTERNAL_TOKEN                = {{ internal_token }}
+INTERNAL_TOKEN                = {{ vault_internal_token }}
 PASSWORD_HASH_ALGO            = pbkdf2
 COOKIE_USERNAME               = gitea_username
 COOKIE_REMEMBER_NAME          = gitea_remember
@@ -118,9 +118,9 @@ ALLOW_LOCALNETWORKS = true
 ENABLED        = true
 SMTP_ADDR      = smtp.eu.mailgun.org
 SMTP_PORT      = 465
-FROM           = "{{ mailer_from_address }}"
+FROM           = "{{ vault_mailer_from_address }}"
-USER           = "{{ mailer_user }}"
+USER           = "{{ vault_mailer_user }}"
-PASSWD         = "{{ mailer_password }}"
+PASSWD         = "{{ vault_mailer_password }}"
 PROTOCOL    = smtps
 
 [packages]
@@ -129,8 +129,8 @@ STORAGE_TYPE = backblaze
 [storage.backblaze]
 STORAGE_TYPE = minio
 MINIO_ENDPOINT = s3.eu-central-003.backblazeb2.com
-MINIO_ACCESS_KEY_ID = {{ backblaze_access_key_id }}
+MINIO_ACCESS_KEY_ID = {{ vault_backblaze_access_key_id }}
-MINIO_SECRET_ACCESS_KEY = {{ backblaze_secret_access_key }}
+MINIO_SECRET_ACCESS_KEY = {{ vault_backblaze_secret_access_key }}
 MINIO_BUCKET = 0rng-gitea
 MINIO_LOCATION = eu-central-003
 SERVE_DIRECT = true
@@ -140,4 +140,4 @@ MINIO_USE_SSL = true
 PATH = /mnt/repo-archive
 
 [oauth2]
-JWT_SECRET = {{ oauth2_jwt_secret }}
+JWT_SECRET = {{ vault_oauth2_jwt_secret }}

ansible/roles/gitea/vars/main.yml

@@ -1,9 +0,0 @@
-lfs_jwt_secret: "{{ vault_lfs_jwt_secret }}"
-secret_key: "{{ vault_secret_key }}"
-internal_token: "{{ vault_internal_token }}"
-oauth2_jwt_secret: "{{ vault_oauth2_jwt_secret }}"
-mailer_from_address: "{{ vault_mailer_from_address }}"
-mailer_user: "{{ vault_mailer_user }}"
-mailer_password: "{{ vault_mailer_password }}"
-backblaze_access_key_id: "{{ vault_backblaze_access_key_id }}"
-backblaze_secret_access_key: "{{ vault_backblaze_secret_access_key }}"

ansible/roles/gitea_runner/files/docker-compose.yml

@@ -10,7 +10,7 @@ services:
     environment:
       - TZ={{ timezone }}
       - GITEA_INSTANCE_URL=https://git.theorangeone.net
-      - GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea_runner_registration_token }}
+      - GITEA_RUNNER_REGISTRATION_TOKEN={{ vault_gitea_runner_registration_token }}
       - GITEA_RUNNER_NAME={{ ansible_hostname }}
       - GITEA_RUNNER_FETCH_INTERVAL=5s
       - GITEA_RUNNER_MAX_PARALLEL_JOBS={{ ansible_processor_nproc }}

ansible/roles/gitea_runner/vars/main.yml

@@ -1 +0,0 @@
-gitea_runner_registration_token: "{{ vault_gitea_runner_registration_token }}"

ansible/roles/mastodon/files/docker-compose.yml

@@ -12,10 +12,10 @@ services:
       - DATABASE_URL=postgresql://mastodon:mastodon@db/mastodon
       - REDIS_URL=redis://redis
       - SIDEKIQ_REDIS_URL=redis://redis/1
-      - SECRET_KEY_BASE={{ secret_key_base }}
+      - SECRET_KEY_BASE={{ vault_secret_key_base }}
-      - OTP_SECRET={{ otp_secret }}
+      - OTP_SECRET={{ vault_otp_secret }}
-      - VAPID_PRIVATE_KEY={{ vapid_private_key }}
+      - VAPID_PRIVATE_KEY={{ vault_vapid_private_key }}
-      - VAPID_PUBLIC_KEY={{ vapid_public_key }}
+      - VAPID_PUBLIC_KEY={{ vault_vapid_public_key }}
       - TRUSTED_PROXY_IP=172.20.0.1
       - SINGLE_USER_MODE=true
       - DEFAULT_LOCALE=en

ansible/roles/mastodon/vars/main.yml

@@ -1,4 +0,0 @@
-secret_key_base: "{{ vault_secret_key_base }}"
-otp_secret: "{{ vault_otp_secret }}"
-vapid_private_key: "{{ vault_vapid_private_key }}"
-vapid_public_key: "{{ vault_vapid_public_key }}"

ansible/roles/minio/files/docker-compose.yml

@@ -8,7 +8,7 @@ services:
     environment:
       - TZ=Europe/London
       - MINIO_ROOT_USER=jake
-      - MINIO_ROOT_PASSWORD={{ minio_root_password }}
+      - MINIO_ROOT_PASSWORD={{ vault_minio_root_password }}
     restart: unless-stopped
     labels:
       - traefik.enable=true

ansible/roles/minio/vars/main.yml

@@ -1 +0,0 @@
-minio_root_password: "{{ vault_minio_root_password }}"

ansible/roles/pihole/files/setup-vars.conf

@@ -7,7 +7,7 @@ CACHE_SIZE=10000
 DNS_FQDN_REQUIRED=true
 DNS_BOGUS_PRIV=true
 DNSMASQ_LISTENING=bind
-WEBPASSWORD={{ pihole_web_password | hash("sha256") | hash("sha256") }}
+WEBPASSWORD={{ vault_pihole_web_password | hash("sha256") | hash("sha256") }}
 BLOCKING_ENABLED=true
 DNSSEC=false
 REV_SERVER=false

ansible/roles/pihole/vars/main.yml

@@ -1 +0,0 @@
-pihole_web_password: "{{ vault_pihole_web_password }}"

ansible/roles/plausible/files/docker-compose.yml

@@ -25,21 +25,21 @@ services:
       - traefik.http.routers.plausible-embed.middlewares=plausible-index
 
     environment:
-      - SECRET_KEY_BASE={{ plausible_secret_key }}
+      - SECRET_KEY_BASE={{ vault_plausible_secret_key }}
-      - SIGNING_SALT={{ plausible_signing_salt }}
+      - SIGNING_SALT={{ vault_plausible_signing_salt }}
       - DATABASE_URL=postgres://plausible:plausible@db:5432/plausible
       - DISABLE_REGISTRATION=true
       - DISABLE_SUBSCRIPTION=true
       - CLICKHOUSE_DATABASE_URL=http://clickhouse:8123/plausible
       - BASE_URL=https://elbisualp.theorangeone.net
-      - GOOGLE_CLIENT_ID={{ plausible_google_client_id }}
+      - GOOGLE_CLIENT_ID={{ vault_plausible_google_client_id }}
-      - GOOGLE_CLIENT_SECRET={{ plausible_google_client_secret }}
+      - GOOGLE_CLIENT_SECRET={{ vault_plausible_google_client_secret }}
       - RELEASE_DISTRIBUTION=none
-      - MAILER_EMAIL={{ plausible_from_email }}
+      - MAILER_EMAIL={{ vault_plausible_from_email }}
       - SMTP_HOST_ADDR=smtp.eu.mailgun.org
       - SMTP_HOST_PORT=465
-      - SMTP_USER_NAME={{ plausible_smtp_user }}
+      - SMTP_USER_NAME={{ vault_plausible_smtp_user }}
-      - SMTP_USER_PWD={{ plausible_smtp_password }}
+      - SMTP_USER_PWD={{ vault_plausible_smtp_password }}
       - SMTP_HOST_SSL_ENABLED=true
 
   clickhouse:

ansible/roles/plausible/vars/main.yml

@@ -1,7 +0,0 @@
-plausible_secret_key: "{{ vault_plausible_secret_key }}"
-plausible_signing_salt: "{{ vault_plausible_signing_salt }}"
-plausible_google_client_id: "{{ vault_plausible_google_client_id }}"
-plausible_google_client_secret: "{{ vault_plausible_google_client_secret }}"
-plausible_from_email: "{{ vault_plausible_from_email }}"
-plausible_smtp_user: "{{ vault_plausible_smtp_user }}"
-plausible_smtp_password: "{{ vault_plausible_smtp_password }}"

ansible/roles/remark42/files/docker-compose.yml

@@ -13,15 +13,15 @@ services:
     environment:
       - APP_UID={{ docker_user.id }}
       - REMARK_URL=https://remark.theorangeone.net
-      - SECRET={{ remark_secret }}
+      - SECRET={{ vault_remark_secret }}
-      - ADMIN_PASSWD={{ remark_admin_password }}
+      - ADMIN_PASSWD={{ vault_remark_admin_password }}
       - SITE=theorangeone
       - TIME_ZONE={{ timezone }}
       - SMTP_HOST=smtp.eu.mailgun.org
-      - SMTP_USERNAME={{ remark_smtp_username }}
+      - SMTP_USERNAME={{ vault_remark_smtp_username }}
-      - SMTP_PASSWORD={{ remark_smtp_password }}
+      - SMTP_PASSWORD={{ vault_remark_smtp_password }}
-      - NOTIFY_EMAIL_FROM={{ remark_from_email }}
+      - NOTIFY_EMAIL_FROM={{ vault_remark_from_email }}
-      - AUTH_EMAIL_FROM={{ remark_from_email }}
+      - AUTH_EMAIL_FROM={{ vault_remark_from_email }}
       - SMTP_TLS=true
       - SMTP_PORT=465
       - ADMIN_EDIT=true
@@ -30,10 +30,10 @@ services:
       - EMOJI=true
       - DISABLE_SIGNATURE=true
       - AUTH_ANON=true
-      - AUTH_GITHUB_CID={{ remark_github_client_id }}
+      - AUTH_GITHUB_CID={{ vault_remark_github_client_id }}
-      - AUTH_GITHUB_CSEC={{ remark_github_client_secret }}
+      - AUTH_GITHUB_CSEC={{ vault_remark_github_client_secret }}
       - ALLOWED_HOSTS=remark.theorangeone.net,theorangeone.net
-      - ADMIN_SHARED_EMAIL={{ remark_admin_email }}
+      - ADMIN_SHARED_EMAIL={{ vault_remark_admin_email }}
     volumes:
       - ./remark:/srv/var
 

ansible/roles/remark42/vars/main.yml

@@ -1,8 +0,0 @@
-remark_github_client_id: "{{ vault_remark_github_client_id }}"
-remark_github_client_secret: "{{ vault_remark_github_client_secret }}"
-remark_smtp_username: "{{ vault_remark_smtp_username }}"
-remark_smtp_password: "{{ vault_remark_smtp_password }}"
-remark_from_email: "{{ vault_remark_from_email }}"
-remark_secret: "{{ vault_remark_secret }}"
-remark_admin_password: "{{ vault_remark_admin_password }}"
-remark_admin_email: "{{ vault_remark_admin_email }}"

ansible/roles/renovate/files/config.js

@@ -1,6 +1,6 @@
 module.exports = {
   endpoint: 'https://git.theorangeone.net/',
-  token: '{{ renovate_gitea_token }}',
+  token: '{{ vault_renovate_gitea_token }}',
   platform: 'gitea',
   //dryRun: true,
   autodiscover: true,

ansible/roles/renovate/files/docker-compose.yml

@@ -6,7 +6,7 @@ services:
     user: "{{ docker_user.id }}"
     environment:
       - TZ={{ timezone }}
-      - GITHUB_COM_TOKEN={{ renovate_github_token }}
+      - GITHUB_COM_TOKEN={{ vault_renovate_github_token }}
       - DOCKER_HOST=tcp://docker_proxy:2375
       - LOG_LEVEL=debug  # Noisy, but required for debugging
     restart: unless-stopped

ansible/roles/renovate/vars/main.yml

@@ -1,2 +0,0 @@
-renovate_gitea_token: "{{ vault_renovate_gitea_token }}"
-renovate_github_token: "{{ vault_renovate_github_token }}"

ansible/roles/restic/files/backrest.sh

@@ -17,10 +17,10 @@ mkdir -p "$RESTIC_LOG_DIR"
 
 # Run backup, and capture logs to file
 cron_backup() {
-    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ restic_healthchecks_id }}/start
+    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ vault_restic_healthchecks_id }}/start
     restic --verbose backup --files-from=$HOME/restic-include.txt --exclude-file=$HOME/restic-excludes.txt | tee -a $RESTIC_LOG_FILE
     exit_code=${PIPESTATUS[0]}
-    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ restic_healthchecks_id }}/$exit_code --data-binary "@$RESTIC_LOG_FILE"
+    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ vault_restic_healthchecks_id }}/$exit_code --data-binary "@$RESTIC_LOG_FILE"
     echo "Exit code: $exit_code"
 }
 
@@ -32,10 +32,10 @@ backup() {
 {% if restic_forget %}
 # Run forget and prune, and capture logs to file
 cron_forget() {
-    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ restic_forget_healthchecks_id }}/start
+    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ vault_restic_forget_healthchecks_id }}/start
     restic forget --prune $FORGET_OPTIONS | tee -a $RESTIC_LOG_FILE
     exit_code=${PIPESTATUS[0]}
-    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ restic_forget_healthchecks_id }}/$exit_code --data-binary "@$RESTIC_LOG_FILE"
+    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ vault_restic_forget_healthchecks_id }}/$exit_code --data-binary "@$RESTIC_LOG_FILE"
     echo "Exit code: $exit_code"
 }
 {% endif %}

ansible/roles/tandoor/files/docker-compose.yml

@@ -7,7 +7,7 @@ services:
       - TIMEZONE={{ timezone }}
       - DEBUG=0
       - ALLOWED_HOSTS=recipes.jakehoward.tech
-      - SECRET_KEY={{ tandoor_secret_key }}
+      - SECRET_KEY={{ vault_tandoor_secret_key }}
       - DATABASE_URL=postgres://tandoor:tandoor@db:5432/tandoor
       - DB_ENGINE=django.db.backends.postgresql
       - POSTGRES_HOST=db
@@ -17,10 +17,10 @@ services:
       - GUNICORN_MEDIA=1
       - EMAIL_HOST=smtp.eu.mailgun.org
       - EMAIL_PORT=465
-      - EMAIL_HOST_USER={{ tandoor_email_user }}
+      - EMAIL_HOST_USER={{ vault_tandoor_email_user }}
-      - EMAIL_HOST_PASSWORD={{ tandoor_email_password }}
+      - EMAIL_HOST_PASSWORD={{ vault_tandoor_email_password }}
       - EMAIL_USE_TLS=1
-      - DEFAULT_FROM_EMAIL={{ tandoor_email_from }}
+      - DEFAULT_FROM_EMAIL={{ vault_tandoor_email_from }}
     restart: unless-stopped
     labels:
       - traefik.enable=true

ansible/roles/tandoor/vars/main.yml

@@ -1,4 +0,0 @@
-tandoor_secret_key: "{{ vault_tandoor_secret_key }}"
-tandoor_email_user: "{{ vault_tandoor_email_user }}"
-tandoor_email_password: "{{ vault_tandoor_email_password }}"
-tandoor_email_from: "{{ vault_tandoor_email_from }}"

ansible/roles/traefik/files/docker-compose.yml

@@ -5,8 +5,8 @@ services:
     image: traefik:v2.10
     user: "{{ docker_user.id }}"
     environment:
-      - CF_DNS_API_TOKEN={{ cloudflare_api_token }}
+      - CF_DNS_API_TOKEN={{ vault_cloudflare_api_token }}
-      - GANDIV5_API_KEY={{ gandi_api_key }}
+      - GANDIV5_API_KEY={{ vault_gandi_api_key }}
     volumes:
       - /tmp/traefik-logs:/var/log/traefik
       - ./traefik:/etc/traefik

ansible/roles/traefik/files/traefik.yml

@@ -54,7 +54,7 @@ api:
 certificatesResolvers:
   le:
     acme:
-      email: "{{ letsencrypt_email }}"
+      email: "{{ vault_letsencrypt_email }}"
       storage: /etc/traefik/acme.json
       dnsChallenge:
         provider: cloudflare
@@ -65,7 +65,7 @@ certificatesResolvers:
 
   gandi:
     acme:
-      email: "{{ letsencrypt_email }}"
+      email: "{{ vault_letsencrypt_email }}"
       storage: /etc/traefik/acme.json
       dnsChallenge:
         provider: gandiv5

ansible/roles/traefik/vars/main.yml

@@ -1,3 +0,0 @@
-gandi_api_key: "{{ vault_gandi_api_key }}"
-letsencrypt_email: "{{ vault_letsencrypt_email }}"
-cloudflare_api_token: "{{ vault_cloudflare_api_token }}"

ansible/roles/vikunja/files/docker-compose.yml

@@ -11,7 +11,7 @@ services:
       - VIKUNJA_DATABASE_USER=vikunja
       - VIKUNJA_DATABASE_DATABASE=vikunja
       - VIKUNJA_SERVICE_FRONTENDURL=https://tasks.jakehoward.tech
-      - VIKUNJA_SERVICE_JWTSECRET="{{ jwt_secret }}"
+      - VIKUNJA_SERVICE_JWTSECRET="{{ vault_jwt_secret }}"
       - VIKUNJA_SERVICE_ENABLEREGISTRATION=false
       - VIKUNJA_SERVICE_TIMEZONE={{ timezone }}
       - VIKUNJA_REDIS_HOST=redis:6379
@@ -19,9 +19,9 @@ services:
       - VIKUNJA_LOG_PATH=/dev/stdout
       - VIKUNJA_KEYVALUE_TYPE=redis
       - VIKUNJA_MAILER_ENABLED=true
-      - VIKUNJA_MAIL_FROMEMAIL={{ from_email }}
+      - VIKUNJA_MAIL_FROMEMAIL={{ vault_from_email }}
-      - VIKUNJA_MAILER_USERNAME={{ smtp_username }}
+      - VIKUNJA_MAILER_USERNAME={{ vault_smtp_username }}
-      - VIKUNJA_MAILER_PASSWORD={{ smtp_password }}
+      - VIKUNJA_MAILER_PASSWORD={{ vault_smtp_password }}
       - VIKUNJA_MAILER_HOST=smtp.eu.mailgun.org
       - TZ={{ timezone }}
       - PUID={{ docker_user.id }}

ansible/roles/vikunja/vars/main.yml

@@ -1,4 +0,0 @@
-jwt_secret: "{{ vault_jwt_secret }}"
-from_email: "{{ vault_from_email }}"
-smtp_username: "{{ vault_smtp_username }}"
-smtp_password: "{{ vault_smtp_password }}"

ansible/roles/website/files/docker-compose.yml

@@ -8,14 +8,14 @@ x-website: &website
   environment:
     - TZ={{ timezone }}
     - DEBUG=false
-    - SECRET_KEY={{ website_secret_key }}
+    - SECRET_KEY={{ vault_website_secret_key }}
     - DATABASE_URL=postgres://website:website@db/website?conn_max_age=600
     - CACHE_URL=redis://redis/0
     - QUEUE_STORE_URL=redis://redis/1
     - RENDITION_CACHE_URL=redis://redis/2
     - SPOTIFY_PROXY_URL=http://spotify_public_proxy
-    - UNSPLASH_CLIENT_ID={{ unsplash_client_id }}
+    - UNSPLASH_CLIENT_ID={{ vault_unsplash_client_id }}
-    - SENTRY_DSN={{ website_sentry_dsn }}
+    - SENTRY_DSN={{ vault_website_sentry_dsn }}
     - BASE_HOSTNAME=theorangeone.net
     - WEB_CONCURRENCY=3
     - SEO_INDEX=true
@@ -80,9 +80,9 @@ services:
     restart: unless-stopped
     environment:
       - PORT=80
-      - SPOTIFY_CLIENT_ID={{ spotify_client_id }}
+      - SPOTIFY_CLIENT_ID={{ vault_spotify_client_id }}
-      - SPOTIFY_CLIENT_SECRET={{ spotify_client_secret }}
+      - SPOTIFY_CLIENT_SECRET={{ vault_spotify_client_secret }}
-      - SENTRY_DSN={{ spotify_sentry_dsn }}
+      - SENTRY_DSN={{ vault_spotify_sentry_dsn }}
 
 networks:
   traefik:

ansible/roles/website/vars/main.yml

@@ -1,6 +0,0 @@
-website_secret_key: "{{ vault_website_secret_key }}"
-website_sentry_dsn: "{{ vault_website_sentry_dsn }}"
-unsplash_client_id: "{{ vault_unsplash_client_id }}"
-spotify_client_id: "{{ vault_spotify_client_id }}"
-spotify_client_secret: "{{ vault_spotify_client_secret }}"
-spotify_sentry_dsn: "{{ vault_spotify_sentry_dsn }}"